feat(helm): add topologySpreadConstraints

Add support for Capsule deployment topologySpreadConstraints in Capsule Helm Chart. Signed-off-by: Zadkiel Aharonian <hello@zadkiel.fr>
docs: awareness of possible netpol overwrite set by tenant owners
2026-02-26 07:44:28 +00:00 · 2023-08-19 08:49:04 +02:00 · 2023-08-01 09:05:56 +02:00 · 2023-07-27 20:32:53 +02:00 · 2023-06-27 19:15:01 +02:00 · 2023-06-27 19:15:01 +02:00
13 changed files with 71 additions and 56 deletions
--- a/2
+++ b/2
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.19 as builder
+FROM golang:1.19.10 as builder

 WORKDIR /workspace
 # Copy the Go Modules manifests
--- a/charts/capsule/Chart.yaml
+++ b/charts/capsule/Chart.yaml
@@ -21,8 +21,8 @@ sources:

 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.4.3
+version: 0.4.6

 # This is the version number of the application being deployed.
 # This version number should be incremented each time you make changes to the application.
-appVersion: 0.3.2
+appVersion: 0.3.3
--- a/charts/capsule/README.md
+++ b/charts/capsule/README.md
@@ -85,6 +85,7 @@ Here the values you can override:
 | tls.enableController | bool | `true` | Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well. |
 | tls.name | string | `""` | Override name of the Capsule TLS Secret name when externally managed. |
 | tolerations | list | `[]` | Set list of tolerations for the Capsule pod |
+| topologySpreadConstraints | list | `[]` | Set topology spread constraints for the Capsule pod |
 | validatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for validating webhooks |

 ### Manager Parameters
--- a/charts/capsule/templates/deployment.yaml
+++ b/charts/capsule/templates/deployment.yaml
@@ -49,6 +49,10 @@ spec:
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
      volumes:
        - name: cert
          secret:
--- a/charts/capsule/templates/validatingwebhookconfiguration.yaml
+++ b/charts/capsule/templates/validatingwebhookconfiguration.yaml
@@ -265,7 +265,7 @@ webhooks:
 {{- end }}
    service:
      name: capsule-webhook-service
-      namespace: capsule-system
+      namespace: {{ .Release.Namespace }}
      path: /tenantresource-objects
  failurePolicy:  {{ .Values.webhooks.tenantResourceObjects.failurePolicy }}
  name: resource-objects.tenant.capsule.clastix.io
--- a/charts/capsule/values.yaml
+++ b/charts/capsule/values.yaml
@@ -126,6 +126,9 @@ replicaCount: 1
 # -- Set affinity rules for the Capsule pod
 affinity: {}

+# -- Set topology spread constraints for the Capsule pod
+topologySpreadConstraints: []
+
 podSecurityPolicy:
  # -- Specify if a Pod Security Policy must be created
  enabled: false
--- a/config/install.yaml
+++ b/config/install.yaml
@@ -2769,7 +2769,7 @@ spec:
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
-        image: clastix/capsule:v0.3.2
+        image: clastix/capsule:v0.3.3
        imagePullPolicy: IfNotPresent
        name: manager
        ports:
--- a/config/manager/kustomization.yaml
+++ b/config/manager/kustomization.yaml
@@ -7,4 +7,4 @@ kind: Kustomization
 images:
 - name: controller
  newName: clastix/capsule
-  newTag: v0.3.2
+  newTag: v0.3.3
--- a/controllers/resources/processor.go
+++ b/controllers/resources/processor.go
@@ -172,6 +172,7 @@ func (r *Processor) HandleSection(ctx context.Context, tnt capsulev1beta2.Tenant
 			for _, o := range objs.Items {
 				obj := o
 				obj.SetNamespace(ns.Name)
+				obj.SetOwnerReferences(nil)

 				multiErr.Go(func() error {
 					kv := keysAndValues
--- a/docs/content/general/tutorial.md
+++ b/docs/content/general/tutorial.md
@@ -1308,6 +1308,12 @@ Kubernetes network policies control network traffic between namespaces and betwe

 To meet this requirement, Bill needs to define network policies that deny pods belonging to Alice's namespaces to access pods in namespaces belonging to other tenants, e.g. Bob's tenant `water`, or in system namespaces, e.g. `kube-system`.

+> Keep in mind, that because of how the NetworkPolicies API works, the users can still add a policy which contradicts what the Tenant has set, resulting in users being able to circumvent the initial limitation set by the tenant admin.
+>
+> Two options can be put in place to mitigate this potential privilege escalation:
+> 1. providing a restricted role rather than the default `admin` one
+> 2. using Calico's `GlobalNetworkPolicy`, or Cilium's `CiliumClusterwideNetworkPolicy` which are defined at the cluster-level, thus creating an order of packet filtering.
+
 Also, Bill can make sure pods belonging to a tenant namespace cannot access other network infrastructures like cluster nodes, load balancers, and virtual machines running other services.  

 Bill can set network policies in the tenant manifest, according to the requirements:
--- a/docs/package-lock.json
+++ b/docs/package-lock.json
@@ -2591,9 +2591,9 @@
      },
      "dependencies": {
        "semver": {
-          "version": "5.7.1",
-          "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.1.tgz",
-          "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ=="
+          "version": "5.7.2",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.2.tgz",
+          "integrity": "sha512-cBznnQ9KjJqU67B52RMC65CMarK2600WFnbkcaiwWq3xy/5haFJlshgnpjovMVJ+Hff49d8GEn0b87C5pDQ10g=="
        }
      }
    },
@@ -3827,9 +3827,9 @@
      },
      "dependencies": {
        "semver": {
-          "version": "5.7.1",
-          "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.1.tgz",
-          "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ=="
+          "version": "5.7.2",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.2.tgz",
+          "integrity": "sha512-cBznnQ9KjJqU67B52RMC65CMarK2600WFnbkcaiwWq3xy/5haFJlshgnpjovMVJ+Hff49d8GEn0b87C5pDQ10g=="
        }
      }
    },
@@ -5611,9 +5611,9 @@
          }
        },
        "semver": {
-          "version": "5.7.1",
-          "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.1.tgz",
-          "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ=="
+          "version": "5.7.2",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.2.tgz",
+          "integrity": "sha512-cBznnQ9KjJqU67B52RMC65CMarK2600WFnbkcaiwWq3xy/5haFJlshgnpjovMVJ+Hff49d8GEn0b87C5pDQ10g=="
        }
      }
    },
@@ -6352,9 +6352,9 @@
          }
        },
        "semver": {
-          "version": "5.7.1",
-          "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.1.tgz",
-          "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ=="
+          "version": "5.7.2",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.2.tgz",
+          "integrity": "sha512-cBznnQ9KjJqU67B52RMC65CMarK2600WFnbkcaiwWq3xy/5haFJlshgnpjovMVJ+Hff49d8GEn0b87C5pDQ10g=="
        }
      }
    },
@@ -7799,9 +7799,9 @@
      "integrity": "sha512-qsda+H8jTaUaN/x5vzW2rzc+8Rw4TAQ/4KjB46IwK5VH+IlVeeeje/EoZRpiXvIqjFgK84QffqPztGI3VBLG1A=="
    },
    "lilconfig": {
-      "version": "2.0.6",
-      "resolved": "https://registry.npmjs.org/lilconfig/-/lilconfig-2.0.6.tgz",
-      "integrity": "sha512-9JROoBW7pobfsx+Sq2JsASvCo6Pfo6WWoUW79HuB1BCoBXD4PLWJPqDF6fNj67pqBYTbAHkE57M1kS/+L1neOg==",
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/lilconfig/-/lilconfig-2.1.0.tgz",
+      "integrity": "sha512-utWOt/GHzuUxnLKxB6dk81RoOeoNeHgbrXiuGk4yyF5qlRz+iIVWu56E2fqGHFrXz0QNUhLB/8nKqvRH66JKGQ==",
      "dev": true
    },
    "lines-and-columns": {
@@ -8443,9 +8443,9 @@
      },
      "dependencies": {
        "semver": {
-          "version": "5.7.1",
-          "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.1.tgz",
-          "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ=="
+          "version": "5.7.2",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.2.tgz",
+          "integrity": "sha512-cBznnQ9KjJqU67B52RMC65CMarK2600WFnbkcaiwWq3xy/5haFJlshgnpjovMVJ+Hff49d8GEn0b87C5pDQ10g=="
        }
      }
    },
@@ -8532,9 +8532,9 @@
      },
      "dependencies": {
        "semver": {
-          "version": "5.7.1",
-          "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.1.tgz",
-          "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ=="
+          "version": "5.7.2",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.2.tgz",
+          "integrity": "sha512-cBznnQ9KjJqU67B52RMC65CMarK2600WFnbkcaiwWq3xy/5haFJlshgnpjovMVJ+Hff49d8GEn0b87C5pDQ10g=="
        }
      }
    },
@@ -10918,9 +10918,9 @@
          "dev": true
        },
        "nanoid": {
-          "version": "3.3.4",
-          "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.4.tgz",
-          "integrity": "sha512-MqBkQh/OHTS2egovRtLk45wEyNXwF+cokD+1YPf9u5VfJiRdAiRwB2froX5Co9Rh20xs4siNPm8naNotSD6RBw==",
+          "version": "3.3.6",
+          "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.6.tgz",
+          "integrity": "sha512-BGcqMMJuToF7i1rt+2PWSNVnWIkGCU78jBG3RxO/bZlnZPK2Cmi2QaffxGO/2RvWi9sL+FAiRiXMgsyxQ1DIDA==",
          "dev": true
        },
        "picocolors": {
@@ -10930,12 +10930,12 @@
          "dev": true
        },
        "postcss": {
-          "version": "8.4.19",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.19.tgz",
-          "integrity": "sha512-h+pbPsyhlYj6N2ozBmHhHrs9DzGmbaarbLvWipMRO7RLS+v4onj26MPFXA5OBYFxyqYhUJK456SwDcY9H2/zsA==",
+          "version": "8.4.25",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.25.tgz",
+          "integrity": "sha512-7taJ/8t2av0Z+sQEvNzCkpDynl0tX3uJMCODi6nT3PfASC7dYCWV9aQ+uiCf+KBD4SEFcu+GvJdGdwzQ6OSjCw==",
          "dev": true,
          "requires": {
-            "nanoid": "^3.3.4",
+            "nanoid": "^3.3.6",
            "picocolors": "^1.0.0",
            "source-map-js": "^1.0.2"
          }
@@ -11839,9 +11839,9 @@
          }
        },
        "semver": {
-          "version": "7.3.5",
-          "resolved": "https://registry.npmjs.org/semver/-/semver-7.3.5.tgz",
-          "integrity": "sha512-PoeGJYh8HK4BTO/a9Tf6ZG3veo/A7ZVsYrSA6J8ny9nb3B1VrpkuN+z9OE5wfE5p6H4LchYZsegiQgbJD94ZFQ==",
+          "version": "7.5.4",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-7.5.4.tgz",
+          "integrity": "sha512-1bCSESV6Pv+i21Hvpxp3Dx+pSD8lIPt8uVjRrxAUt/nbswYc+tK6Y2btiULjd4+fnq15PX+nqQDC7Oft7WkwcA==",
          "dev": true,
          "requires": {
            "lru-cache": "^6.0.0"
@@ -11898,9 +11898,9 @@
      }
    },
    "semver": {
-      "version": "6.3.0",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
-      "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw=="
+      "version": "6.3.1",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
+      "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA=="
    },
    "semver-diff": {
      "version": "3.1.1",
@@ -11924,9 +11924,9 @@
      },
      "dependencies": {
        "semver": {
-          "version": "5.7.1",
-          "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.1.tgz",
-          "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ=="
+          "version": "5.7.2",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.2.tgz",
+          "integrity": "sha512-cBznnQ9KjJqU67B52RMC65CMarK2600WFnbkcaiwWq3xy/5haFJlshgnpjovMVJ+Hff49d8GEn0b87C5pDQ10g=="
        }
      }
    },
@@ -12003,9 +12003,9 @@
          }
        },
        "semver": {
-          "version": "7.3.5",
-          "resolved": "https://registry.npmjs.org/semver/-/semver-7.3.5.tgz",
-          "integrity": "sha512-PoeGJYh8HK4BTO/a9Tf6ZG3veo/A7ZVsYrSA6J8ny9nb3B1VrpkuN+z9OE5wfE5p6H4LchYZsegiQgbJD94ZFQ==",
+          "version": "7.5.4",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-7.5.4.tgz",
+          "integrity": "sha512-1bCSESV6Pv+i21Hvpxp3Dx+pSD8lIPt8uVjRrxAUt/nbswYc+tK6Y2btiULjd4+fnq15PX+nqQDC7Oft7WkwcA==",
          "requires": {
            "lru-cache": "^6.0.0"
          }
--- a/docs/yarn.lock
+++ b/docs/yarn.lock
@@ -8764,9 +8764,9 @@ semver-truncate@^1.1.2:
    semver "^5.3.0"

 "semver@2 || 3 || 4 || 5", semver@^5.3.0, semver@^5.4.1, semver@^5.5.0, semver@^5.6.0:
-  version "5.7.1"
-  resolved "https://registry.yarnpkg.com/semver/-/semver-5.7.1.tgz#a954f931aeba508d307bbf069eff0c01c96116f7"
-  integrity sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==
+  version "5.7.2"
+  resolved "https://registry.yarnpkg.com/semver/-/semver-5.7.2.tgz#48d55db737c3287cd4835e17fa13feace1c41ef8"
+  integrity sha512-cBznnQ9KjJqU67B52RMC65CMarK2600WFnbkcaiwWq3xy/5haFJlshgnpjovMVJ+Hff49d8GEn0b87C5pDQ10g==

 semver@7.0.0:
  version "7.0.0"
@@ -8774,14 +8774,14 @@ semver@7.0.0:
  integrity sha512-+GB6zVA9LWh6zovYQLALHwv5rb2PHGlJi3lfiqIHxR0uuwCgefcOJc59v9fv1w8GbStwxuuqqAjI9NMAOOgq1A==

 semver@^6.0.0, semver@^6.1.0, semver@^6.1.1, semver@^6.1.2, semver@^6.2.0, semver@^6.3.0:
-  version "6.3.0"
-  resolved "https://registry.yarnpkg.com/semver/-/semver-6.3.0.tgz#ee0a64c8af5e8ceea67687b133761e1becbd1d3d"
-  integrity sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==
+  version "6.3.1"
+  resolved "https://registry.yarnpkg.com/semver/-/semver-6.3.1.tgz#556d2ef8689146e46dcea4bfdd095f3434dffcb4"
+  integrity sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==

 semver@^7.3.2:
-  version "7.3.5"
-  resolved "https://registry.yarnpkg.com/semver/-/semver-7.3.5.tgz#0b621c879348d8998e4b0e4be94b3f12e6018ef7"
-  integrity sha512-PoeGJYh8HK4BTO/a9Tf6ZG3veo/A7ZVsYrSA6J8ny9nb3B1VrpkuN+z9OE5wfE5p6H4LchYZsegiQgbJD94ZFQ==
+  version "7.5.4"
+  resolved "https://registry.yarnpkg.com/semver/-/semver-7.5.4.tgz#483986ec4ed38e1c6c48c34894a9182dbff68a6e"
+  integrity sha512-1bCSESV6Pv+i21Hvpxp3Dx+pSD8lIPt8uVjRrxAUt/nbswYc+tK6Y2btiULjd4+fnq15PX+nqQDC7Oft7WkwcA==
  dependencies:
    lru-cache "^6.0.0"

--- a/pkg/webhook/pvc/pv.go
+++ b/pkg/webhook/pvc/pv.go
@@ -77,7 +77,7 @@ func (p PV) OnCreate(client client.Client, decoder *admission.Decoder, recorder
 			return utils.ErroredResponse(NewMissingTenantPVLabelsError(pv.GetName()))
 		}

-		if value != p.capsuleLabel {
+		if value != tnt.Name {
 			return utils.ErroredResponse(NewCrossTenantPVMountError(pv.GetName()))
 		}
Author	SHA1	Message	Date
Zadkiel Aharonian	904dcfc185	feat(helm): add topologySpreadConstraints Add support for Capsule deployment topologySpreadConstraints in Capsule Helm Chart. Signed-off-by: Zadkiel Aharonian <hello@zadkiel.fr>	2023-08-19 08:49:04 +02:00
jandres - moscardo	af29cebea7	docs: awareness of possible netpol overwrite set by tenant owners Co-authored-by: Dario Tranchitella <dario@tranchitella.eu> Co-authored-by: jandres - moscardo <titansmc@gmail.com>	2023-08-01 09:05:56 +02:00
dependabot[bot]	ebc249591e	build(deps): bump semver from 5.7.1 to 5.7.2 in /docs Bumps [semver](https://github.com/npm/node-semver) from 5.7.1 to 5.7.2. - [Release notes](https://github.com/npm/node-semver/releases) - [Changelog](https://github.com/npm/node-semver/blob/v5.7.2/CHANGELOG.md) - [Commits](https://github.com/npm/node-semver/compare/v5.7.1...v5.7.2) --- updated-dependencies: - dependency-name: semver dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2023-07-27 20:32:53 +02:00
Dario Tranchitella	64513b8dee	chore(helm): releasing v0.3.3	2023-06-27 19:15:01 +02:00
Dario Tranchitella	d2dd055818	chore(kustomize): releasing v0.3.3	2023-06-27 19:15:01 +02:00
Dario Tranchitella	e6074a86c0	build(go): upgrading to 1.19.10	2023-06-27 19:10:29 +02:00
Max Fedotov	51b23d16dc	fix: incorrect capsule label comparison in PVC webhook	2023-06-27 19:10:03 +02:00
Max Fedotov	45ad56c586	fix: remove ownerReferences from tenantResource namespacedItems before applying them	2023-06-27 19:05:56 +02:00
Max Fedotov	6cd62d9e91	fix(helm): remove hardcoded capsule-system namespace for tenantresource-objects webhook	2023-06-27 15:04:58 +02:00